Learn/Cryptography/Glossary/

What is bcrypt

bcrypt is a password hashing function designed to be slow. Published in 1999 by Niels Provos and David Mazieres, it is based on the Blowfish cipher and includes a configurable cost factor that controls how many iterations the algorithm performs. As hardware gets faster, you increase the cost factor to keep hashing slow, maintaining resistance to brute-force attacks over time.

How it works

bcrypt takes three inputs: the password, a salt, and a cost factor. The cost factor is a power of 2 -- a cost of 12 means 2^12 (4096) iterations of the internal key schedule. Each iteration is computationally expensive, deliberately wasting CPU time.

The output is a single string that encodes everything needed to verify the password:

$2b$12$LJ3m4ys3GZxK7.KJ5HnQVOYTO5GxL/VjIDtMrXKb4VLkq7eLNmJSO

This contains: the algorithm identifier ($2b$), the cost factor (12), the 22-character Base64-encoded salt, and the 31-character Base64-encoded hash. No separate salt storage is needed.

To verify a password, the system extracts the salt and cost factor from the stored string, hashes the candidate password with the same parameters, and compares the results using constant-time comparison.

bcrypt has a key limitation: it truncates passwords at 72 bytes. Passwords longer than 72 bytes are effectively the same as their first 72 bytes. Some implementations work around this by pre-hashing the password with SHA-256 before passing it to bcrypt.

Modern alternatives include scrypt (memory-hard, resists GPU attacks) and Argon2 (winner of the 2015 Password Hashing Competition, configurable for both time and memory cost). Argon2id is now the recommended choice for new systems. However, bcrypt remains widely deployed, well-understood, and secure at appropriate cost factors. A cost of 12-14 is typical for current hardware, producing hash times of 200-800 ms.

Why it matters

General-purpose hash functions like SHA-256 are too fast for password hashing -- an attacker can test billions of guesses per second. bcrypt's deliberate slowness is the defense. It ensures that even if an attacker steals the hash database, brute-forcing each password takes meaningful time.

See How Hashing Works for the full walkthrough of hash functions, salts, and password storage best practices.

Related

This concept appears in